200 likes | 344 Views
Anderson Kill Cyber Insurance & Risk Management Issues. SRMC Montreal, Quebec Insurance Conference Oct. 27 – 29, 2016. Cyber Insurance Coverage: Issues & Risk Management Approaches. Speaker. Joshua Gold, Esq. 212-278-1886 jgold@andersonkill.com. Insurance Coverage In Context.
E N D
Anderson Kill Cyber Insurance & Risk Management Issues SRMC Montreal, Quebec Insurance Conference Oct. 27 – 29, 2016 Cyber Insurance Coverage: Issues & Risk Management Approaches
Speaker Joshua Gold, Esq.212-278-1886jgold@andersonkill.com
Insurance Coverage In Context An Array of Cyber Risks • Ashley Madison, Sony Pictures, German Steel Mill, NY Dam, “Internet of Things“ • Office of Personnel Management hack: biometric data of 22.1 million people • Target: 40 million credit cards compromised; $291mm loss (and counting?) • Ransomware crime wave; Bitcoins demanded • Class action settlements in eight figures • Class action litigation reinstated twice by 7th Circuit • Home Depot settlement of class litigation • $81 to 101 million SWIFT theft at Bangladesh Bank through NY Fed • Dropbox compromised • Yahoo email accounts: 500mm reported
Policies Possibly Covering Cyber Losses • Take Policy Inventory NOW (Not Just After Incidents) • Coverage For Cyber-related Claims May Be Asserted Under: GL, D&O, E&O, Crime, All Risk Property, Cyber Policies For “Social Engineering”, Hacking, Fraudulent Wire Transfers, Malware, Hardware Damage Claims. • 1st Party, 3rd Party, Hybrid Coverage Issues
Cyber Risk Management Issues • Being engaged and proactive minimizes threat and makes insurance recovery more likely • Examine vendor contracts, including cloud services • Map all business data • Limit access to sensitive data inside and outside of the office • Make sure senior management is involved in plans and processes to secure data. • Educate, educate, educate, test.
Top Tips For Nailing Down Cyber Insurance Coverage • Insurance applications: “known risks” • “Retro dates” • Create a clear policy structure: Modules and key coverage grants • Gain symmetry among insurance policies (e.g., CGL and property insurance) • Establish endorsements for particular coverage needs when it comes to cloud storage and service providers and other relevant third-party vendors • “Company as Merchant” exposure: PCI Issues and Brand fines and penalties • Beware of “sub-limit” issues • Beware of breach of contract exclusions (PCI coverage implications) • Beware of conditions respecting "reasonable“ cyber security measures • Business Interruption and “Reputation Damage” insurance—more relevant
Various ways to intrude / hack / steal / disclose: • 1. Company computers (direct attack) • 2. Hosting platforms (infiltration) • 3. Vendor credentials / access (spoofing) • Coverage options are available typically for Company computer and hosting platform exposures, but coverage for vendor credential attacks is rarer and often sub-limited when offered in policies we have seen.
Coverage for Data/Systems Damages • Focus on defined terms in policies • Particularly relevant for terms such as “Data”, “Records” and “Personal Information” • Definitions of “Computer Systems” and similar terms: • Do the definitions encompass devices such as tablets, laptops, thumb drives and other forms of portable storage? • Do the definitions encompass off-line as well as online components?
Coverage for EU Rules /Foreign Agency Regulations Exposures? • Some of the (better) cyber insurance policy forms promise coverage for regulatory and civil law enforcement actions, potentially including; • Coverage for violation of EU rules on storage and transmission of foreign customers’ data • Coverage for proceedings, inquiries, or investigations by foreign equivalents of FTC, DHHS, and other regulators
Problematic Clauses (Time Sensitive, Etc.) • Fear of Reporting Claims? • Timely Notice • Comprehensive Proofs of Loss • Suit Limitation Restrictions • Arbitration Requirements • Choice of Law (Assume the Worst)
Coverage for More Than “Mere” Hacks • Coverage, understandably, is focused on hacks, denial of service attacks, malware, etc. • But “risk” often is more than that—especially considering the role human error often will play • Is there coverage for inadvertent disclosure? • loss of thumb drive with unencrypted data? • Failure to protect data from online search engines? • Is there coverage for violation of Company’s own privacy or data handling policies?
Social Media Insurance Issues • New Avenues for Classic Risks • Traditional Policies May Already Cover • CGL • Professional Liability/E&O • EPLI • Cyber Policies May Provide Tailored Coverage • Comprehensive Pursuit Bridges Potential Gaps
Cyber Litigation Issues • Some cases emerging: • PF Changs (Ariz. Federal court decision) • CNA declaratory judgment lawsuit (Cal. Federal court) • Hotel Monteleone (La. Court & arbitration: sublimits) • Beware of Disclosure During Discovery: • E.g., Sensitive Data, Customer Information, Network Security Blueprints
Cyber Litigation Issues Continued • Not Much Precedent, But Stay Tuned • Current Precedent Not Uniform: compare Sony I case vs. Portal Health 4th Circuit decision and Recall Total • Provide Notice To All Potentially applicable policies • We have secured coverage for policyholders under E&O, D&O, Crime, GL, business package policies, and property policies for cyber related losses and claims.
Questions? Have a question that that did not get addressed during Presentation on Cyber Insurance Coverage?Give us a shout. Joshua Gold, Esq.212-278-1886jgold@andersonkill.com
Disclaimer • The views expressed by the participants in this program are not those of the participants’ employers, their clients, or any other organization. The opinions expressed do not constitute legal advice, or risk management advice. The views discussed are for educational purposes only, and provided only for use during this session.
Thank You Joshua Gold, Esq.212-278-1886jgold@andersonkill.com
Attorney Bio • Joshua Gold, Esq. • As Chair of Anderson Kill's Cyber Insurance Recovery Group, Joshua Gold has represented numerous corporate and non-profit policyholders in a broad range of industries in insurance coverage disputes, obtaining recoveries for his clients well in excess of $1.5 billion. His practice involves matters ranging from data breaches to international arbitration, D&O, business income/property and commercial crime claims, and marine insurance. He has been lead trial counsel in multi-party bench and jury trials, and has negotiated and crafted scores of settlement agreements including coverage-in-place agreements. In a cyber claim dispute of particular importance to businesses purchasing fidelity, crime and financial institution bond coverage, Josh won a multi-million dollar recovery in a landmark U.S. Court of Appeals, Sixth Circuit decision on behalf of a retailer that suffered a data breach as a result of a computer hacking scheme.